The Danger of the 'Data Dump': Why more information isn't always better!
A recent ICO reprimand for the Staines Health Group shows why special category data deserves specific protection. This article highlights the risks of 'data dumping', where organisations share sensitive information excessively, and how the sharing of sensitive safeguarding information can itself become the safeguarding issue.
👉 What happened
A patient at the NHS GP surgery was diagnosed with a terminal illness and made a claim to their insurer. The insurer, on behalf of the patient, subsequently requested that five years of medical history be sent to the patient to review – before being sent to the insurer – in order to progress the claim.
Instead of five years of medical history being sent to the patient, Staines Health Group sent 23 years of medical records to the insurer. The patient believed this led to a smaller pay-out.
👉 Why this matters
🛡️ Health records – sensitive personal data – require particularly robust measures to keep them safe. The loss of this kind of data can have distressing consequences for the people involved.
Read more about the ICO reprimand to Staines Health Group: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/gp-surgery-reprimanded-after-excessive-medical-history-of-terminally-ill-patient-sent-to-insurer/
An important factor in this case was that Staines Health Group had neither a written process for staff to follow when handling insurance requests nor regular refresher data protection training for staff.
David Doodson, ICO Interim Head of Investigations, said: “All personal information must be handled with care but health records – sensitive personal data – require particularly robust measures. This is because the loss of this kind of data can have distressing consequences for those involved.
“We recommend other organisations take note of the lessons learned from the mistakes of Staines Health Group in this case.”
This incident clarifies:
• the need for written processes to be in place to support staff when handling personal data;
• the relevance of a quality assurance process when sharing personal data externally; and
• the importance of up-to-date and regular data protection training for staff.
Understanding 'Special Category' Data
In data protection law, not all data is created equal. Medical records, for example, are classified as special category data. Other examples of special category data found in schools:
- Mental health conditions
- SEND records
- Staff records
- Biometric data
- Ethnicity
- Gender, relating to specific health-related aspects
'Hidden' or Treated-as-Sensitive Data
- Pupil premium/free school meal status
- Safeguarding/child protection
- Criminal Offence data (DBS checks)
Safeguarding vs Data Protection: The Ofsted Connection - How to prevent a 'Data Dump'
- Data minimisation - only share what is needed.
- Extra checks - always have a second pair of eyes to sign off on data before sending externally.
- Share the data safely (i.e. for training purposes).
- Use a Centralised, Secure Management System
  - These systems have appropriate access control which ensures only the required people have access to the data (least privilege).
  - Audit trails - who viewed the file and when can be tracked.
- If paper copies are required, store in a locked fireproof cabinet.
- Secure face-to-face briefings
  - Briefings by the DSL for training, with notes uploaded to a secure system.
- Regular 'data hygiene' training.
Secure life cycle of a file
To help staff store records in a way that satisfies both Data Protection Law and Inspection Standards (Ofsted), you should frame it as the "Secure Life Cycle of a File."
Ofsted doesn't just want to see that you have the data; they want to see that it is stored in a way that ensures confidentiality, integrity, and availability.
To align with both the Ofsted Safeguarding Standards and Data Protection requirements, your checklist needs to bridge the gap between "keeping children safe" and "keeping data secure."
The ICO is clear: Data protection law is an enabler, not a barrier, to safeguarding.
The "Physical vs. Digital" Storage Rule
While most schools have moved to digital systems, "legacy" paper files or temporary handwritten notes are often where breaches happen.
- Digital (The Gold Standard): Records should be stored in a "walled garden" (e.g., CPOMS, MyConcern, or a restricted SharePoint). Never store safeguarding files on a local PC desktop or an unencrypted USB stick.
- Physical (The Risk Zone): If you must have paper, it must be in a double-locked environment (e.g., a locked cabinet inside a locked office). Access keys should be restricted to the DSL and Headteacher only.
Questions for the headteacher:
✅ Is the DPO or data lead involved in our safeguarding audits?
✅ Is our SCR digital, encrypted, and MFA-protected?
✅ Do our staff know that 'Safeguarding' and 'Privacy' are two sides of the same coin?
✅ Is safeguarding information shared securely?
✅ Do we protect the privacy of our staff and students when sharing information?
